Channel: HAProxy community - Latest topics

MQTTs - TLS verification issues

Hi everyone.
Here is some context:

  • HAProxy in front of an MQTT broker
  • Would like to use HAProxy to verify the TLS
  • We are using self-signed root-certificates with ECDSA

My understanding is that both { ssl_c_used } and { ssl_c_verify 0 } are needed (from this topic), but with ssl_c_used any connection fails. HAProxy keeps failing no matter the certificate in use.

I feel that I’m missing something obvious; here is the full configuration:

global
    log stdout format raw local0 debug

defaults
    log global
    mode tcp
    option tcplog
    maxconn 1024000
    timeout connect 30000
    timeout client 600s
    timeout server 600s

frontend vernemq_tcp
    tcp-request inspect-delay 5s
    bind *:8883 ssl crt /certs/ca.pem ssl-min-ver TLSv1.2

    use_backend vernemq_tcp_back if { ssl_c_used } { ssl_c_verify 0 }

    default_backend rejected_connections

backend vernemq_tcp_back
    # Create a stick table for session persistence
    stick-table type string len 32 size 100k expire 30m

    # Use ClientID / client_identifier as persistence key
    stick on req.payload(0,0),mqtt_field_value(connect,client_identifier)

    server vernemq vernemq:1883 check

backend rejected_connections
    tcp-request content reject

Let me know if the details are clear.
Any help or hint is appreciated!

1 post - 1 participant
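
An added example, not part of the original post: ssl_c_used can only be true when the bind line requests a client certificate with "ca-file" and "verify", which the posted bind line does not set. The paths /certs/server.pem and /certs/client-ca.pem are assumed names; the frontend, backend and server names are taken from the post.

```haproxy
# Added example, not the poster's configuration.
# /certs/server.pem and /certs/client-ca.pem are assumed paths.

defaults
    mode tcp
    timeout connect 30000
    timeout client 600s
    timeout server 600s

frontend vernemq_tcp
    # Posted form: no "ca-file" and no "verify", so the bind default
    # (verify none) applies, HAProxy never asks the client for a
    # certificate, and ssl_c_used is false for every connection.
    # bind *:8883 ssl crt /certs/ca.pem ssl-min-ver TLSv1.2

    # crt     : certificate HAProxy presents to clients, plus its private key
    # ca-file : CA certificate(s) trusted to have signed client certificates
    # verify optional : request a client certificate, but let the handshake
    #                   finish without one so the ACLs below make the decision
    bind *:8883 ssl crt /certs/server.pem ca-file /certs/client-ca.pem verify optional ssl-min-ver TLSv1.2

    # ssl_c_verify is 0 when no certificate was sent at all, which is why
    # it is paired with ssl_c_used.
    use_backend vernemq_tcp_back if { ssl_c_used } { ssl_c_verify 0 }
    default_backend rejected_connections

    # Stricter alternative: "verify required" aborts the TLS handshake when
    # the client sends no certificate or one that does not chain to ca-file,
    # so no routing ACL is needed.
    # bind *:8883 ssl crt /certs/server.pem ca-file /certs/client-ca.pem verify required ssl-min-ver TLSv1.2

backend vernemq_tcp_back
    server vernemq vernemq:1883 check

backend rejected_connections
    tcp-request content reject
```

Running `haproxy -c -f <file>` checks the syntax and that the certificate files load before the listener is restarted.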
